From: dwalsh@redhat.com (Daniel J Walsh) Date: Mon, 01 Mar 2010 08:39:13 -0500 Subject: [refpolicy] Possible regression and bug in userdom_base_user_template In-Reply-To: <20100301102220.GF3990@myhost.felk.cvut.cz> References: <20100301102220.GF3990@myhost.felk.cvut.cz> Message-ID: <4B8BC381.8060601@redhat.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 03/01/2010 05:22 AM, Michal Svoboda wrote: > > Christopher J. PeBenito wrote: > >> The Fedora list is more appropriate for this discussion, as these rules >> are specific to the Fedora policy. >> > Okay, it seems so, thanks. But the usr_t rule remains in refpolicy too. > Is the reasoning here the same? That is > > Daniel J Walsh wrote: > >> Executing usr_t is not that big of a security risk. >> > ... because from the purity point of view it would seem that usr_t > should be a label of read only, non-executable files. > > Michal Svoboda > > > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > Yes if my goal was to have anyone who uses an SELinux system, to totally understand the difference, but my goal is to have the largest possible segment of computer users gain some protection for SELinux. Forcing them to label every package in the world correctly or blowing up the application for very little increased security is just nuts. Right now I have SELinux usage in Fedora at > 70% If I turned off unconfined_t and unconfined initrc_t and started preventing execution of usr_t, I would bet that number would collapse. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20100301/1f7b49ee/attachment.html